Escaping JSON Data in POST

Question

I am struggling to POST JSON to my localhost, using Curl from mingw64.

curl -H 'Content-Type: application/csp-report;charset=utf-8' 
--data '{"csp-report":{"document-uri":"https://localhost/test",
"referrer":"https://www.google.com/",
"violated-directive":"default-src self","original-policy":"default-src self; report-uri /csp.php",
"blocked-uri":"http://evilhackerscripts.com"}}' 
'https://localhost/csp.php'

Testing some escaping suggested online, resulted into this output:

curl: (6) Could not resolve host: "referrer"
curl: (3) URL using bad/illegal format or missing URL
curl: (6) Could not resolve host: "https
curl: (6) Could not resolve host: "violated-directive"
curl: (3) URL using bad/illegal format or missing URL
curl: (6) Could not resolve host: "default-src
curl: (6) Could not resolve host: self",
curl: (6) Could not resolve host: "original-policy"
curl: (3) URL using bad/illegal format or missing URL
curl: (6) Could not resolve host: "default-src
curl: (6) Could not resolve host: self;
curl: (6) Could not resolve host: report-uri
curl: (3) URL using bad/illegal format or missing URL
curl: (6) Could not resolve host: ,"blocked-uri"
curl: (3) URL using bad/illegal format or missing URL
curl: (3) unmatched close brace/bracket in URL position 21:

ERROR: This is also what came up earlier. Works to POST from POSTMAN, but not via curl in Windows Command Prompt via mingw64

Notice: Trying to get property 'csp-report' of non-object in C:\www\testing\csp.php on line 11

Notice: Trying to get property 'document-uri' of non-object in C:\www\testing\csp.php on line 11

Notice: Trying to get property 'csp-report' of non-object in C:\www\testing\csp.php on line 12

Notice: Trying to get property 'referrer' of non-object in C:\www\testing\csp.php on line 12

Notice: Trying to get property 'csp-report' of non-object in C:\www\testing\csp.php on line 13

Notice: Trying to get property 'violated-directive' of non-object in C:\www\testing\csp-reporter.php on line 13

Notice: Trying to get property 'csp-report' of non-object in C:\www\testing\csp.php on line 14

Notice: Trying to get property 'original-policy' of non-object in C:\www\testing\csp.php on line 14

Notice: Trying to get property 'csp-report' of non-object in C:\www\testing\csp.php on line 15

Notice: Trying to get property 'blocked-uri' of non-object in C:\www\testing\csp.php on line 15

On my localhost, I have a `csp.php` which reads from `php://input`, and I get unescaped data in the output. While everything works when I send a `POST` from **postman**. — John Smith, Jan 05 '20 at 13:04
Judging from the output, the request does not even reach the server (not at least all of it). It's almost certainly a bash escaping issue. — Álvaro González, Jan 05 '20 at 13:12

score 0 · Accepted Answer · answered Jan 05 '20 at 11:55

0

Maybe you should run the curl command in sigle line like this:

curl -H 'Content-Type: application/csp-report;charset=utf-8' --data '{"csp-report":{"document-uri":"https://localhost/test", "referrer":"https://www.google.com/", "violated-directive":"default-src self","original-policy":"default-src self; report-uri /csp.php", "blocked-uri":"http://evilhackerscripts.com"}}' 'https://localhost/csp.php'

Or, you can add a backslash after every line to tell shell that your command is not over:

curl -H 'Content-Type: application/csp-report;charset=utf-8' \
--data '{"csp-report":{"document-uri":"https://localhost/test",
"referrer":"https://www.google.com/",
"violated-directive":"default-src self","original-policy":"default-src self; 
report-uri /csp.php",
"blocked-uri":"http://evilhackerscripts.com"}}' \
'https://localhost/csp.php'

Hope can help you.

answered Jan 05 '20 at 11:55

Fangxin Jiang

16
3

Hmm, interesting. Didn't think about that. – John Smith Jan 05 '20 at 12:07
Doesn't seem to work! Weird. I am in Windows, no Linux or MAC! – John Smith Jan 05 '20 at 12:23
@ÁlvaroGonzález, regular Windows CMD and mingw64 under the Git directory. – John Smith Jan 05 '20 at 13:16
1

@JohnSmith CMD has very convoluted, not specially well documented and probably incomplete escaping techniques. I've seen questions in the past (which of course I'm unable to find right now) that went nowhere. As hint, the escape character is `^` but you'll have problems with double quotes. – Álvaro González Jan 05 '20 at 14:38
@ÁlvaroGonzález, I am closing this Question now. I will have to seek it elsewhere. – John Smith Jan 06 '20 at 18:39

score 0 · Answer 2 · answered Jun 04 '23 at 17:44

This little script called post.sh worked for me:

#! /bin/bash

US01='bar2'$1'@foo.com'
RE01='{"email":"'${US01}'","password":"111-111"}'

curl -v -H "Content-Type: application/json" \
  -d ${RE01} \
  http://localhost:30025/signup

Call it like this:

./post.sh 51

Passing in a new number creates a new user on the server.

Sample run:

./post.sh 51
{"email":"bar251@foo.com","password":"111-111"}
*   Trying 127.0.0.1:30025...
* Connected to localhost (127.0.0.1) port 30025 (#0)
> POST /signup HTTP/1.1
> Host: localhost:30025
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 47
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: application/json; charset=utf-8
< Content-Length: 353
< ETag: W/"161-S6X2031k1pG3b1BJRvOfoUtgcW0"
< Date: Sun, 04 Jun 2023 17:33:15 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact 
{
    "uid":"baN8CUel91SAbno4h6qWudA4qIR2","email":"bar251@foo.com",
    "emailVerified":false,"disabled":false,
    "metadata": {
        "lastSignInTime":null,"creationTime":"Sun, 04 Jun 2023 17:33:15 GMT",
        "lastRefreshTime":null
    },
    "tokensValidAfterTime":"Sun, 04 Jun 2023 17:33:15 GMT",
    "providerData":[{
        "uid":"bar251@foo.com",
        "email":"bar251@foo.com",
        "providerId":"password"
    }]
}

Why are you posting this Bash-script when the question is tagged [tag:windows] and [tag:cmd]? The issue here is the wrong use of quotes, [which](https://stackoverflow.com/a/12498151) [has been](https://stackoverflow.com/a/15828662) [answered](https://stackoverflow.com/a/66836733) [numerous](https://stackoverflow.com/a/73671867) [times](https://stackoverflow.com/a/44035580) [already](https://stackoverflow.com/a/62301184). — Reino, Jun 10 '23 at 21:01

Escaping JSON Data in POST

2 Answers2